1. No category

On Partial-Function Application in Z

On Partial-Function Application in Z
David A. Duy
Department of Computer Science, University of York
Heslington, York, YO10 5DD
E-mail: [email protected]
Abstract
We discuss the application of partial functions to elements outside their domain
in the context of the Z language and CADiZ tool. We illustrate some surprising
results that can arise, and show that they may be readily justied, but also
show that undesirable results can arise that are less readily resolved. We oer
two possible resolutions, one that involves a simple change to, for example,
free types, and another more contentious approach that involves, in particular,
a new semantics for Z. We discuss the advantages and disadvantages of both
approaches.
1 Introduction
Partial functions in Z [8] are simply relations with the property that if they
\return a value" that value is unique. There is some debate as to the meaning
of the application of such functions to arguments outside their domain. Arthan
[2] outlines the main options and proposes a classical approach for reasoning
purposes in which a function application in a specication is assigned an
arbitrary value from the function's range in any particular interpretation (\premodel") for . This semantics explains why, if f and g are partial functions
from N to N , then f (0) = f (0) holds in all models, but f (0) = g(0) need not
even if both f and g are undened for 0: f (0) and g(0) may be assigned dierent
values from (the carrier set of) N .
This semantics for partial-function application may or may not be embedded into the standard semantics for Z currently being developed; the standard
semantics might assign the same range value to all \undened" function applications of the same type. Any proof system that is sound with respect to
Arthan's proposed semantics is, of course, sound with respect to the more restrictive semantics. CADiZ [9], a tool developed at the University of York that
supports analysis of Z specications, is consistent with Arthan's approach in
that it accepts as valid f (0) = f (0), but not f (0) = g(0) (unless forced to by
the axioms of the specication). In this paper, we take CADiZ as representative
of proof systems for Z (such as ProofPower [5]), with regard to the treatment
of partiality. Thus, Arthan's approach provides the starting point for our investigation. However, we go a step further, and consider the scenario in which it
is impossible to assign a range value to a function application in any model. In
3rd Northern Formal Methods Workshop, 1998
1
other words, we consider the scenario in which adding a denedness condition
such as f (0) 2 N would make a specication unsatisable.
Apparently, this scenario has been investigated previously,1 and there are
unpublished notes on the subject, but in each case it was decided that any benets accrued are outweighed by anomalous results. We argue that the partialfunction applications of realistic specications may have this property, that the
apparently anomalous results they produce are not so disconcerting as they
might at rst seem, and that there is a major benet from allowing them in
that the specier is no longer required to know the domain of a partial function
in order to avoid contradictions when writing down axioms dening the function.
However, we show that allowing such function applications can make a typical
Z specication inconsistent, and we proceed to oer two possible resolutions
to this problem, one involving modication of our specications, and the other
involving modication of our inference systems. We discuss the advantages and
disadvantages of each approach.
The presentation of the paper is as follows. In the next section we discuss
partial functions in a general setting, independently of Z, and describe a simple
realistic specication in which the denedness problem arises. In Section 3, we
then review partial functions from the Z standpoint, illustrating some surprising
and undesirable properties that function application can have in Z, and show
how the surprising results may be readily justied. We are then in a position
to present in Section 4 our resolutions to the undesirable results. The second of
these involves modication to the typical laws and inference rules implemented
in reasoning systems for Z; we specify the necessary changes (for a subset of Z)
in Section 5, provide a semantics for our Z expressions in Section 6, and justify
our proof rules with respect to this semantics in Section 7. We go on to discuss
some of the consequences of both our resolutions in Section 8, including those
that are apparently anomalous, and argue that these apparent anomalies are
in fact reasonable. Finally, we present some conclusions on what we have done
in Section 9, reviewing some of the advantages and disadvantages of our two
approaches.
We are concerned almost exclusively with the semantics of function application in this paper, and how it interacts with the semantics of the rest of the
system. For this reason, we will consider only a limited subset of Z, omitting
discussion of, for instance, schemas; the subset should be suciently inclusive to
demonstrate our approach in a non-trivial context. For similar reasons, we will
also take only a semi-formal approach to the presentation of our semantics in
Section 6. Typical current formal approaches translate each Z construct into a
core language, and then dene the semantics of the core language via a mapping
into ZF set theory. We map each Z construct (of our subset) into an informal
set-theoretic language with types. Our approach more closely resembles standard semantic denitions given in text books on logic. This approach was found
not to work for the full Z language, principally due to the inclusion of schemas,2
but it is adequate for our subset.
While we do not consider in detail Z-like languages such as B [1], we believe
that our semantics should be applicable to them, perhaps with minor modications. In the case of B itself, we must take account of a distinction that may
1
2
Sam Valentine, private communication
Ian Toyn, private communication
3rd Northern Formal Methods Workshop, 1998
2
be made between a well-formed and a well-typed formula. For instance, the
formula 8x x + 0 = x is well-formed, but for type-checking purposes we must
add the constraint x 2 N , say, to give 8x (x 2 N ) x +0 = x); we may say that
this formula is well-typed. If we consider the well-typed language of B, then
the application of our Z semantics to B is quite straightforward, since B has
the same type system as Z. On the other hand, we consider later the possibility
of including in Z formulae that are not well-typed; it might be argued that, in
principle, B already allows such expressions.
2 What are partial functions
From the mathematical perspective, independently of Z, we may distinguish two
types of partiality (cf. [11]).
Case 1: A function f is partial if it is not explicitly assigned any value for
certain arguments. Viewed computationally, that is, viewing the \dening axioms" for f as, say, a set of rewrite rules (if the axioms are equations), f may
or may not terminate on these arguments.
Example: Suppose we are given
Spec1 ==
[f; g; h : N ! N j
8u : nats f (succ(u)) = u
8v : nats g(succ(v)) = g(0)
8w : nats h(0; w) = 0
8x; y : nats h(succ(x); y) = h(succ(x) , y; y)]:
In Spec1, f is not dened for 0 and g is not dened for any v 2 N . The function
h is non-terminating for x = 0; y = 0 if its dening equations are treated as
rewrite rules from left to right (as presented), and if, for t of type A , t , 0
simplies to t; since there are no other dening axioms for h(succ(0); 0), h is
undened over these arguments | h(succ(0); 0) could, however, be assigned the
value 0, say, without inconsistency with Spec1 arising.
Case 2: A function f is partial if imposing denedness conditions on f results
in inconsistency.
Example: Suppose we are given
Spec2 ==
[q : N N ! N j
8w : nats q(0; w) = 0
8x; y : nats q(succ(x); y) = succ(q(succ(x) , y; y)]:
The partial function q may be interpreted as a \quotient" function over N ; the
important property of Spec2 is that q(succ(0); 0), representing 1/0, is assigned
no numeric value. Not only is q nonterminating for x = 0; y = 0, but we
have q(succ(0); 0) = succ(q(succ(0); 0)), so if we add the denedness constraint
q(succ(0); 0) 2 N , then we get 9z : N z = succ(z ) (contradicting the usual
axioms for N ).
Case 1 is consistent with the standard Z-user view of partial functions in
the sense that any function that satises Case 1 could be declared as partial in
3rd Northern Formal Methods Workshop, 1998
3
a Z specication without any perceived inconsistency arising. This is the case
that Arthan accounts for [2]. Case 2 is more contentious. It might be argued
that any function (in a Z specication) satisfying Case 2 should be rejected as
inconsistent with its declaration. According to this view, it should always be
possible to assign to any function application some value from the function's
range (that is, the set S 0 in the declaration f : S ! S 0 for f ). However, there
are several counterarguments.
Firstly, Spec2 describes what seems to be a reasonable specication in which
the function q cannot return a numeric value for certain arguments, though
its range is N . Secondly, since we cannot bar non-termination, it would seem
pointless (though not impossible for \semi-recursive" functions [6]) to bar Case
2. Thirdly, and perhaps most signicantly of all, barring Case 2 would, from the
perspective of function application, make redundant the declaration of functions
as partial in Z, since a partial function f : S ! S 0 would have the property
8x : S 91 y : S 0 f (x) = y
(at least if S 0 is a type expression), exactly as for a total function. We discuss
this fourth justication for Case 2 further in the next section.
3 Partial Functions and Z
In Z, a relation r with declaration r : S $ S 0 , for sets S and S 0 , is a subset of
S S 0 : r has type P (T T 0), where P T and P T 0 are the types of, respectively,
S and S 0 , and the dening axiom for r is 8p : r (p:1 2 S ^ p:2 2 S 0 ). Partial
and total functions, with declarations of the form f : S ! S 0 and f : S ! S 0 ,
respectively, are relations with further restrictions expressed by axioms in the
language of Z. A partial function f has the extra property
8p; q : f p:1 = q:1 ) p = q;
while a total function f : S ! S 0 is a partial function with the restriction that
its domain is the whole of S . These denitions raise the question: what happens
when a partial function is \applied" to an object outside of its domain. In fact,
Z allows arbitrary relations to be applied as functions, and thus we cannot rely
on the special property of partial functions in dening application.
The fundamental point to note is that the denition of relation imposes only
the constraint of well-typedness on the application of a relation as a function,
and the denition of partial function is only a little more restrictive. A relation
application r(s) is well-typed if r has type P (T T 0) and s has type T ; r(s)
then has type T 0. Partial functions impose the additional constraint that if
(x; y) 2 f is a consequence of the specication, then f (x) = y is a consequence;
the converse need not hold. Even total functions may be applied to objects
outside their domain without introducing inconsistency. We illustrate these
points with the following specications.
SpecA ==
[f : N $ N j
(1; 1) 2 f
f (1) = 2]
3rd Northern Formal Methods Workshop, 1998
4
SpecB ==
[f : N ! N j
f (,1) = 0
f (2) = ,2]
SpecC ==
[f : N ! N j
f (,1) = ,1
f (,2) = 2]
These specications are \consistent" in Z in the sense that, from the axioms
currently associated with relation and function declarations, we cannot derive a
contradiction (P ^ :P , for some P ) via the inference rules normally associated
with Z (as in CADiZ). The rst two specications illustrate the facts that a
relation may be applied to objects (e.g. 1 in SpecA) for which it is not uniquely
dened, and a partial function may be applied to (or return) objects outside its
domain (or range), as in the rst and second axioms of SpecB. As illustrated by
SpecC, even a total function may be consistently applied to objects outside its
domain, and, if so, may return an object outside its range. (We are not claiming
that anybody would wish to write specications such as that above, but if they
are consistent in Z, then we should be able to oer, for instance, a semantical
justication for them.)
The justication for these surprising properties of function application, that
is, the consistency of the above specications, is that the axioms given assert
properties about each function application, not about the functions themselves.
In particular, f (a) = b, where f (a) and b are appropriately typed, does not imply
(a; b) 2 f . Formally, in the models of a specication, a function application f (a)
may be assigned a total function App [2]. To account for the fact that, if there
is a unique b such that (a; b) 2 f , then f (a) = b, we must impose constraints on
App as in the following denition.
Denition: In a specication , let f be an expression (representing an n-ary
function) of type P(T1 T2 ), and let arg be an expression of type T1. If, in an
interpretation for , T1 and T2 are assigned, respectively, the (\carrier") sets
T1 and T2, f is assigned the function fI , and arg is assigned the value a 2 T1,
then
App(fI ; a) == the unique z such that (a; z ) 2 fI if such a z exists
== some z in T2 otherwise.
Thus, the value of a function application is not a value assigned to the function
itself (that is, the function is not \totalised" | cf. [12]), but to the application
operator. In fact, what we assign to any Z function symbol (partial or total)
in a model is simply a relation satisfying the constraints imposed by Z's partial
and total function axioms.
More problematic are specications involving denitions such as that of q in
the previous section. The problem becomes most apparent if we reexpress the
denition in terms of a free type, as opposed to N (which is dened as a subset
of the type A in standard Z). We thus introduce the free type nats, and dene
the functions di and quot in terms of nats.
3rd Northern Formal Methods Workshop, 1998
5
section SpecQ
nats ::= o j shhnatsii
di ; quot : nats nats ! nats
8x : nats di (x; o) = x
8x; y : nats di (s(x); s(y)) = di (x; y)
8y : nats quot(o; y) = o
8x; y : nats quot(s(x); y) = s(quot(di (s(x); y); y)
The rst line of SpecQ introduces a free type: a given set nats together with
Peano-style axioms for o (denoting zero) and s (denoting successor). The axioms
CADiZ associates with the free type nats have some (syntactic) dierences from
typical Peano axioms for N [4], but the induction principle is typical, and the
property 8x : nats :x = s x is a logical consequence.
The main diculty with SpecQ is that it is provably inconsistent in CADiZ.
We discuss a proof of its inconsistency further in the next section. We note here
merely that we can prove quot(s o; o) 2 nats in CADiZ, and therefore that
8x; y : nats quot(s(x); y) = succ(quot(di (succ(x); y); y)
contradicts the property 8x : nats :x = s x of the free type nats.
There are several reasons why the inconsistency of Q is unfortunate. Firstly,
the denition looks reasonable. Secondly, it is correct for the intended set,
fx; y : N j x > y ^ y > 0g; where N denotes the natural numbers. Thirdly, the
fact that the denition for quot is nonterminating for quot(s o; o) is consistent
with our assumption that division of 1 by 0 is undened (that is, is not a natural
number). Fourthly, and perhaps most importantly, if we bar this denition, then
this means that the Z specier must know the domain of quot, before dening it
by a set of equations, in order to avoid inconsistency; but in that case it would
seem preferable that quot be dened as a total function from nats natsnfog
to nats. Thus, the utility of partial functions is substantially undermined if
denitions such as that of quot are inconsistent.
4 Resolving the Inconsistency
We propose two resolutions to the inconsistency issue raised in the preceding
section. The rst is the more straightforward, but involves explicitly modifying
specications, while the second is more contentious, but leaves specications
unchanged, modifying instead the usual laws and inference rules for Z.
4.1
Modifying Free Types
The rst solution is straightforward: the sets introduced by a free type (e.g. nats
above) are not given type status, but are made subsets of types. In particular,
we may associate with the set nats the type nats . Thus, nats becomes the
given set, and nats is declared by nats : P nats. The other declarations and
axioms for nats in the original free-type expansion remain unchanged.
Now any partial function f : nats ! nats may return a value from nats
when it is not specied or is unable consistently to return a value from nats.
If we refer to as nats, the set nats nnats, then nats, may be viewed as the
\undened values" of nats, though, as we indicate in Section 8 below, it is
preferable to view them as \super values" of nats.
3rd Northern Formal Methods Workshop, 1998
6
One incidental benet of this process is that we may reintroduce the intuitive
relationship between function application and membership. We may add as a
property of any partial function over, say, nats, that
8x; y : nats f x = y ) (x; y) 2 f:
The problem with adding this property if nats is taken to be a type is that it
collapses f into a total function. For if nats is a type, then we have
8x : nats 9y : nats f x = y;
consequently, with the above property, we would have 8x : nats 9y : nats (x; y) 2 f , making f total. However, if nats is the type and nats merely a
subset, then we do not automatically have 8x : nats 9y : nats f x = y,
and f remains total only over its domain (that subset of nats over which its
application always returns a value of nats).
The problem with this approach is that the set nats must be explicitly
included within the specication. Thus, either the specier must build up the
free type from scratch in order to include nats or the analysis tool must automatically add it and the declaration nats : P nats. The rst possibility clearly
undermines the benets of free types, while the second solution is likely to be
disconcerting to the specier, particularly if no partial functions are involved in
the specication.
4.2
Modifying the Inference Rules
The alternative approach is more contentious in that it involves distinguishing
between `having type T ' from `being a member of T ', in order to allow a welltyped function application to \return a value" not a member of its range type.
For instance, if nats is a given set, f is a partial function from nats to nats,
and o 2 nats holds, then f (o) has type nats, but may or may not be in nats.
The advantage of this approach is that the set nats now becomes the carrier
set of nats in a model, and thus becomes a metalogical concept; the specier
is now unable to refer directly to nats , and consequently is unable to make
statements about all of its possible members. Moreover, speciers need not even
be aware of nats if they do not have partial functions in their specications;
the name nats may now, of course, be used freely within a specication.
The major disadvantage is that we must make some changes to the laws of Z
and the inference rules of typical proof systems for Z such as CADiZ. However,
these changes are not especially contrived; the new laws and rules coincide with
our intuitions about the properties of sets. We believe that the changes also
highlight some interesting properties of Z and CADiZ, and make the concept of
a type more than just a way of avoiding meaningless expressions (such as (0,1)
= f1,2,3g) and Russel-style paradoxes [8].
The required changes hinge on the fact that we can currently prove f (o) 2
nats in CADiZ if nats is a given set (or free type), if o 2 nats is an axiom, and
if f has declaration f : nats ! nats. Analogously we can prove quot(s o; o) 2
nats, our earlier example. One such proof proceeds as follows.
Sketch of Proof:
Consider the set Q == fx; y : nats j true quot(x; y)g. First, we show, in
3rd Northern Formal Methods Workshop, 1998
7
CADiZ, that SpecQ ` quot(s o; o) 2 Q | we omit SpecQ in the following
for brevity. This involves expanding quot(s o; o) 2 Q to 9x; y : nats j true quot(s o; o) = quot(x; y); x and y are then instantiated with s o and o, respectively, via quantication tac, and we subsequently show ` o 2 nats and
` s o 2 nats (properties of the free type nats), and ` quot(s o; o) = quot(s o; o),
an axiom in CADiZ.
Now we show that Q = nats. This involves an expansion of set equality via
the following expansion rule:
S = S 0 =) 8u : T u 2 S , u 2 S 0 ;
where S; S 0 are sets and P T is their type. Thus, we derive the subgoal
` 8u : nats u 2 Q , u 2 nats.
u 2 nats reduces (via CADiZ's absorption rule) to true, and another absorption
reduces u 2 Q , true to u 2 Q. We now apply 8 elimination and then
membership expansion to derive
u : nats ` 9x; y : nats j true u = quot(x; y):
We may now instantiate x and y with, respectively, u and s o, and use the
denitions of di and quot and an induction over nats to complete the proof of
this step.
Finally, we apply Leibniz to quot(s o; o) 2 Q via the equality Q = nats to
get quot(s o; o) 2 nats, completing the proof of our original goal.
Since we have a proof that quot(s o; o) 2 nats holds in CADiZ, we cannot
separate the carrier set nats into nats+ (the elements of nats) and nats, (the
\undened" values of type nats) and argue that the meaning of quot(s o; o) in a
model is some element of nats,. Thus, if we are to take this line (formalised in
Section 6), we must nd a \aw" in the above proof. We agree that quot(s o; o) 2
Q holds, and accept the application of Leibniz. This leaves the second part of the
proof in which we apply the expansion rule for sets. We propose the following
alternative expansion rule:
S = S 0 =) 8u : S u 2 S 0 ^ 8u : S 0 u 2 S:
Unfortunately, we can still prove Q = nats via CADiZ's rule of normalisation:
x : (x ) j x 2 t ` ;
x:t`
where (x) denotes the type of x. The proof proceeds as follows.
Sketch of Proof:
Expanding Q = nats via the new expansion rule we get
8u : Q u 2 nats ^ 8u : nats u 2 Q.
Via ^ and 8 elimination we derive two subgoals:
u : Q ` u 2 nats, and
u : nats ` u 2 Q.
The proof of the second subgoal proceeds via an inductive proof of 8u : nats u = quot(u; s o), as above, and we do not contend it. The proof of the rst
subgoal proceeds via two applications of normalisation:
u : nats j u 2 Q ` u 2 nats, then
3rd Northern Formal Methods Workshop, 1998
8
u : nats j u 2 nats; u 2 Q ` u 2 nats,
which is an axiom.
Thus, in outline, we have proven Q = nats. Consequently, we must change
the rule of normalisation to sustain the distinction between nats and nats+ :
we replace (x) by t in the hypothesis; see Section 5. We are now unable to
prove Q = nats, since we are unable to prove u : Q ` u 2 nats, normalisation
now reducing this merely to u : Q j u 2 Q ` u 2 nats.
We must show that these new expansion and inference rules do support the
possibility of a term having a value not a member of its type. This may be done
via a soundness proof for the rules with respect to an appropriate semantics.
We present such a semantics and an outline of the soundness proof in Sections 6
and 7, respectively. First we must describe the syntax of the expressions we
allow and present our inference rules more fully.
5 Syntax and Inference Rules
In this section we describe the subset of Z expressions that we are concerned
with, and our expansion and inference rules relating to this subset. We refer to
all allowed syntactic objects as `expressions', distinguishing between `predicates'
(i.e. propositions) and `terms', as opposed to `predicates' and `expressions'.
5.1
The Syntax of Expressions
Types:
Type ::= TypeName j P Type j Type Type
(TypeName denotes a given set.)
Declarations:
Decl ::= BasicDecl; : : : ; BasicDecl
BasicDecl ::= DeclName; : : :; DeclName : Term
Each DeclName is said to be introduced by the declaration; its type is T if the
type of Term is P T .
Terms:
Term ::= Const j FreeV ar j Tuple j TupleSel j Application j SetExp
Const is a name introduced by a declaration within a specication, while
FreeV ar is a free variable, a name introduced by either a declaration within
a sequent or a quantication in a predicate (e.g. all occurrences of x in the P
part of 8x : N P ; all occurrences of x are said to be bound in 8x : N P ).
Tuple ::= (Term; : : : ; Term)
An n-tuple of terms (t1 ; : : : ; tn ), where n 2, may be abbreviated t; the type
of (t1 ; : : : ; tn ) is T1 Tn, where Ti is the type of ti .
TupleSel ::= t:i
where t a term of type T1 Tn for some n, and i is a value of N between
1 and n.
Application ::= f Term
where f is a Term of type P (T1 T2 ) and Term has type T1 ; the type of the
application is T2 .
3rd Northern Formal Methods Workshop, 1998
9
SetExp ::=
SetName j fTerm; : : : ; Termg j fDecl j Predg j fDecl j Pred Termg
j P SetExp j SetExp SetExp
A SetName is a declared name (possibly a TypeName) of type P T for some
Type T . The elements of a set must all have the same type T ; the type of the
set is then P T .
Predicates:
Pred ::=
true j false j R Term j Term = Term j Term 2 Term
j :Pred j Pred ^ Pred j Pred _ Pred j Pred ) Pred j Pred , Pred
j 8 Decl Pred j 9 Decl Pred j 91 Decl Pred
where R is a relation symbol | R Term is, of course, not an application. Such
relational predicates may be represented with inx notation, as in 2 < 3.
5.2
The Inference Rules
We describe our inference rules in terms of sequents, here expressions of the
form D j , ` | we omit generic parameters | where D is a declaration,
and ,, called the antecedent(s), and , called the consequent(s), are nite lists
(representing sets) of Z predicates separated by commas. Our rules are closely
based upon those of CADiZ. However, apart from the necessary modications
of CADiZ's inference and expansion rules indicated above, we have simplied
several of CADiZ's rules to take account of our more restricted language; in particular, since we have not included expressions in our subset, we combine into
one inference CADiZ's expansion of a function application into a expression
and its -tac inference rule.
We omit from our proof system explicit inference rules for ); ,; 9 and
91 , making the assumption that predicates involving these logical symbols are
merely abbreviations for others involving only :; _; ^; 8 and, in the case of 91 , =.
As is usual in the descriptions of sequent proof systems for Z, we also omit from
the sequents in our rules any information that is not relevant to the inference.
Our inference rules have either the form HC , where H is a collection of sequents referred to as the hypotheses and C is a sequent referred to as the conclusion, or the form C , denoting axioms (inference rules without hypotheses).
We denote by P (t) the fact that the predicate P contains the term t, and by
P (s=t) the replacement of t with s. A substitution of an n-tuple of terms t for
an n-tuple of free variables x within a predicate P is denoted P fx ! tg.
Tautologies: We have as axioms
j False `
` True
j`
Declaration normalisation: For a set or type expression , we have
x:jx2`
x:`
Function-application expansion: Let P be a predicate containing an application
f t, let (s) denote the type of the term s, and let F abbreviate (t; x) 2 f . We
3rd Northern Formal Methods Workshop, 1998
10
have:
` 91 x : (f t) F; P (f t) j 91 x : (f t) F ` 9x : (f t) F ^ P (x=f t)
` P (f t)
j P (f t) ` 91 x : (f t) F j 91 x : (f t) F; 9x : (f t) F ^ P (x=f t) `
j P (f t) `
Equality reasoning: For = we have an axiom and two pairs of inference rules:
reection: ` t = t
commutation:
js=t` `s=t
jt=s` `t=s
Leibniz:
j s = t; P (s=t) ` j s = t ` P (s=t)
j s = t; P (t) `
j s = t ` P (t)
Connectives:
: introduction:
_ introduction:
^ introduction:
8 quantier:
8 introduction:
`P
j :P `
` P; Q
`P _Q
`P `Q
`P ^Q
jP`
` :P
jP ` jQ`
j P _Q`
j P; Q `
j P ^Q`
D0 ` P ;
` 8D P
where D0 is D with any variables renamed to avoid clashes with names introduced by declarations in the specication or in the conclusion.
8 substitution:
j 8 D P ^ Q ) P 0 fx ! tg ` ;
j 8D P `
where x is the n-tuple of variables introduced by Decl, t is an n-tuple of terms,
Q is a conjunction of memberships ti 2 Si for each declaration xi : Si in D,
and P 0 is P with any bound variables renamed to avoid clashes with names
occurring in t. (This rule combines CADiZ's quantication tac tactic, onepoint
rule, and absorption rules.)
The inference rules are applied backwards in CADiZ to reduce a goal to
subgoals. Thus, in particular, the introduction rules become elimination rules.
Expansions: An expansion rule X =) Y is a law that allows any instance of
X to be replaced by Y . We assume that these laws are meta-level (expressed
3rd Northern Formal Methods Workshop, 1998
11
outside Z), like the inference rules, but always produce Z expressions. Our expansion rule for memberships are exactly as in CADiZ; for example, S 2 P S 0,
for set expressions S and S 0 , may be expanded to 8x : S x 2 S 0 . However, we
replace CADiZ's expansion rule for set equality as indicated in Section 4.2.
This new expansion rule is, of course, entirely reasonable, as is our rule of
it is unfortunate that set equality cannot be dened as equivalence of membership (say, 8x x 2 S , x 2 S 0 ), as in classical set theory [4],
but then we would need a type for x, and this would take us back to CADiZ's
denition. More importantly, when new concepts | and corresponding expansion rules | are introduced, such as , we must be careful to ensure that they
satisfy the expected properties. For example, should be dened by a law with
the same expansion as membership of P. If, instead, it is dened by
normalisation;
S S 0 , 8x : T x 2 S ) x 2 S 0 ;
where P T is the type of S and S 0 , then we will no longer have
S 2 P S0 , S S0
as a consequence of our proof system (though CADiZ's unchanged normalisation
rule would allow this equivalence to be proven). For example, we would have
(trivially) ff og nats (assuming f o has type nats), but not necessarily ff og 2
P nats. We will discuss this issue further in Section 8.
6 The Semantics of the Subset
In this section we will describe what we believe to be an intuitively straightforward and natural semantics for the expressions of our subset of Z. This semantics
provides a meaning for terms that may not be assigned a value of their type.
We will subsequently show that our expansion and inference rules are sound
with respect to this semantics.
As mentioned previously, since our principal goal is merely to describe the
meaning of partial-function applications in the context of a substantial subset of
Z, our semantic \target language" will be an informal set-theoretic one, which
itself includes disjoint \types" T1; T2; : : : for each Z type expression T1 ; T2; : : :.
We do not concern ourselves with the interpretation of such a language, in
particular, the sets T1; T2; : : :, in terms of, say, ZF set theory, this being a
problem to be resolved by the Z standards committee.
In our semantics, we follow the \classical" approach discussed by Arthan [2],
where undened expressions are assigned some element of the appropriate type.
However, in order to allow a well-typed function application to \return a value"
not a member of the function's range type, we distinguish `having type T ' from
`being a member of T '. We formalise this as follows.
Let be a well-typed specication involving a type T . In an interpretation
for we assign a set T to T , constructed according to the form of T as follows.
If T is a given set, then T is the union of two (possibly empty) disjoint
sets T + [ T ,.
If T is a power set P T1, then T == P(T1).
3rd Northern Formal Methods Workshop, 1998
12
If T is a product T1 Tn , then T == T1 Tn.
Note that + and , are operators applied to the set T to produce a subset; it is
not strictly necessary to treat + and , as operators | we might have dened
T to be T + [ T , | but the operator view simplies the presentation of the
meaning of membership `2' below. However, we will often abbreviate T + and
T , to, respectively, T + and T ,. Informally, T + and T , may be interpreted
as, respectively, the dened values of T and the undened values of type T . It
is preferable, however, to view elements of T , not as undened values, but as,
say, \super values" of type T , since they may have various properties assigned
to them; for example, if f (0) is an \undened" expression of type A , and g is
a function from A to A , then we may have g(f (0)) = 0, without inconsistency
arising.
Any set expression S introduced by a specication will have a type P T ,
and will thus be assigned a subset of T in an interpretation. For example,
ff (o)g, with type P nats, will be assigned the set consisting of the value of
f (o) whether this value is in nats+ or nats, . If S is a non-type set expression
whose type is the powerset of a given set G, and S is the set assigned to S
in an interpretation, then the application of + to S simply produces S itself;
clearly, S + may or may not be a subset of G+ . We also dene (P )+ == P +
and (1 n )+ == +1 +n for any types or sets (in the models)
; 1 ; : : : ; n , analogously to *. Similarly, for values v1 ; : : : ; vn , (v1 ; : : : ; vn )+ =
(v1+ ; : : : ; vn+ ). For any other interpretation value v we dene v+ == v.
In the following, we view any name n introduced by a declaration n : S
within a Z specication as a constant of the appropriate type, and thus assign
a single meaning to it in any interpretation. Names introduced by declarations
in sequents, on the other hand, are viewed as free variables, and for a sequent
to be \valid" it must be \true" in every interpretation under all (well-typed)
assignments to its free variables.
We are now able to dene the meaning of our Z expressions in an interpretation I , under an assignment [d] to any free-variable occurrences. In the
following, let S; Si denote set expressions, Di denote a declaration, P; Q denote
predicates, ai denote a free variable or a constant, x; xi denote free variables,
c denote a constant, s; t; ti denote terms, f denote a term of type P(T T 0)
for some T; T 0, and R denote a relation symbol. In the language of our models
we use the same symbols P; and brackets f; g; (; ) as are used in Z, since no
confusion should arise. However, because the relationship between 2 of Z and
membership in the models is not straightforward, we use for membership
in the model language. The symbol == is our metalogical equality. (The total
function App is dened as before.)
Declarations:
I (D1 ; : : : ; Dn )[d] == I (D1 ^ : : : ^ Dn )[d]
I (a1 ; : : : ; an : S )[d] == I (a1 2 S ^ : : : ^ an 2 S )[d]
Terms:
I (c)[d] == cI , an element of T , where T is the type of c.
I (xi )[d] == di , the ith element of [d]
I ((t1 ; : : : ; tn ))[d] == (I (t1 )[d]; : : : ; I (tn )[d])
I (t:i)[d] == I (ti )[d], where ti is the ith element of the tuple t.
3rd Northern Formal Methods Workshop, 1998
13
I (f t)[d] == App(I (f )[d]; I (t)[d])
I (ft1 ; : : : ; tn g)[d] == fI (t1 )[d]; : : : ; I (tn )[d]g
I (fx : S j P g)[d] == fy j y I (S )[d]+ ; I (P )[d; y]g,
where y is a meta-language variable assigned to x.
I (fD j P tg)[d] == fI (t)[d; v] j I (D)[d; v]; I (P )[d; v]g,
where v is a sequence of (meta-language) variables v1 ; :::; vm assigned to the
variables introduced by D.
I (P S )[d] == P(I (S )[d])
I (S1 Sn )[d] == I (S )[d] I (S 0 )[d]
Predicates:
I (true)[d] == True
I (false)[d] == False
I (:P )[d] == True
i I (P )[d] == False
I (P _ Q)[d] == True
i I (P )[d] == True or I (Q)[d] == True
I (P ^ Q)[d] == True
i I (P )[d] == True and I (Q)[d] == True
I (t 2 S )[d] == True
i I (t)[d]+ I (S )[d]+
I (R t)[d] == True
i I (t)[d]+ I (R)[d]
I (s = t)[d] == True
i I (s)[d]+ == I (t)[d]+
I (8x : S P )[d] == True i I (P )[d; a] == True for all a I (S )[d]+
In the nal equation, a is assigned to any occurrences of x in P . The meaning
of more general universal quantications (e.g. 8x; y : S ; z : S 0 P ) is similar.
Example:
I (fx : N j :x = 0 f (x)g) == ff (y) j y N + ; y 6= 0I g+
== ff (y) j y N ; y 6= g
where, in the standard model, N is the set of natural numbers and is zero.
I (f (0) = succ(f (0))) == (App(I (f ); 0I ) == App(succI ; App(I (f ); 0I ))).
We may now dene models and consequence in the usual way.
Denition: An interpretation I is said to be a model of a specication if all
the axioms in are satised by I (i.e. have the value True in I ).
In a model (if one exists) of a specication including
f : N ! N and f (0) = succ(f (0)),
the value of App(fI ; 0I ) will be non-numeric, but of type A .
Denition: Let X = (x1 ; :::; xn ) be the sequence of free variables occurring in
the declarations D in the conjecture D j , ` . Then the conjecture is said to be
a consequence of a specication if every model of satises ,^ ) _ under
all assignments [d1 ; :::; dn ] to X , where ,^ is the conjunction of the members of
, and _ is the disjunction of the members of .
For example, (0; 0) 2 f does not follow from the specication
[f : N ! N j f (0) = 0],
since App(fI ; 0I ) must be equal to 0I in any model of the specication, but
(0I ; 0I ) 2 fI need not hold.
3rd Northern Formal Methods Workshop, 1998
14
7 Soundness of our Rules
In this section we demonstrate that our expansion and inference rules are consistent with the above semantics, via a soundness proof, and contrast this with
the CADiZ rules. This should make sense of our semantics from the perspective
of a typical Z/CADiZ user.
We say that an inference rule is sound if, whenever the hypotheses are a
consequence of a specication, so is the conclusion. By an induction on proof
structures we may show that soundness of our inference rules implies that our
proof system is sound in the sense that, if a sequent X is proven from a specication , then X is a consequence of (cf. [3]). We thus concern ourselves
merely with the soundness of our rules.
If we translate a conjectural sequent D j , ` , for non-empty , and ,
into the Z sentence 8 D ,^ ) _ , then the sequent is a consequence of a
specication i the sentence is True in every model of . (If , and/or is
empty, we may replace them by, respectively, true and false in the corresponding sentence.) We may thus show that, for each inference rule, if the hypotheses
translated into sentences are True in every model of , then so is the conclusion. We signify that a sentence S is True in all models of a specication by
j= S .
Theorem: Our inference rules are sound.
Proof:
Tautologies: The tautologies are clearly True in all models, and thus sound
when viewed as axioms.
Normalisation: This rule is sound if 8x : S x 2 S ^ ) j= 8x : S ) , for
arbitrary Z predicates and , and set or type expression S . With the assignment [d] omitted for brevity, the meaning of the antecedent in an interpretation
is
8y y I (S )+ ) (y I (S )+ ^ I ( ) ) I ());
but this simplies to
8y y I (S )+ ) I ( ) ) I (),
which is the meaning of the consequent.
Function-application expansion: For a \function" f P(T1 T2), and argument a 2 T1,
App(f; a) == the unique z such that (a; z ) 2 r if such a z exists.
The rst hypotheses of each inference rule for function application is concerned
with showing that such a z exists for the function expression f and argument t.
If it does exist, then we may assume its unique existence, and replace P (f t) by
its equivalent 9x : (f t) F ^ P (x=f t), which is what the second hypotheses of
each inference rule does.
Equality reasoning: The inference rules of reection, commutation, and Leibniz
are clearly sound for the equality of non-type terms, since the meaning of such a
term of type T is simply some element of T , and the meaning of equality over
T in a model is the \identity" relation over T . Equality of types also satises
these rules, since if T1+ = T2+, then T1 = T2 by the disjointness of the model
3rd Northern Formal Methods Workshop, 1998
15
types, and so the interpretation of equality is again the identity relation. The
only dicult case is the equality of sets with types. If we have, for instance,
S = T in our specication, where S is a set expression and T is a type expression, then this implies that the meaning of S in a model is the same as T +, not
T ; we do not have identity in the model. However, commutation clearly holds,
and Leibniz holds because the meaning of 2; =, and so on, refer only to the sets
S + for any set or type S , so the meaning of any predicate will be unchanged by
the replacement of S by T (or vice-versa) if I (S )+ and T + are the same.
Connectives: The soundness of these is straightforward.
8 quantier: 8 introduction is sound, since 8 D true ) P is equivalent to
true ) 8 D P . The soundness of 8 substitution holds because
(Q ) P 0 fx ! tg) ) j= (8 D P ) ) ,
where D; P; Q, x and t are as in the inference rule, and is any predicate.
Membership Expansion: We justify only the expansion of powerset membership,
leaving the other cases to the reader. Essentially, S1 2 P S2 means S1+ P S2+,
while 8x : S1 x 2 S2 means 8x x S1+ ) x S2+ . These are clearly equivalent
according to the usual meanings of ; P, and so on.
Set-Equality Expansion: Essentially, S1 = S2 means S1+ = S2+ , while the meaning of 8x : S1 x 2 S2 is as above, and similarly for 8x : S2 x 2 S1 . Clearly,
the meanings of the two sides of the expansion are equivalent.
The original CADiZ normalisation rule is unsound with respect to our semantics, since t 2 S ) t 2 (t) may be false. The original CADiZ set-expansion
rule is unsound with respect to our semantics, since S and S 0 , with type P T ,
may have the same elements from T , and thus be the same according to the
CADiZ rule, but may have dierent elements of type T ; for example, S might
be ff og and S 0 might be ff (s o)g, where I (f o) 6= I (f (s o)) and neither f o nor
f (s o) are in their type nats.
8 Properties of the Semantics
In our semantics, t = t always holds, but a conjecture such as 9x : A f (0) = x,
where f has the declaration f : A ! A , may not hold. Applying existential
instantiation with x bound to f (0) results in an identity, f (0) = f (0), apparently
proving the conjecture. However, there is a side condition to be proven, namely,
f (0) 2 A , and this membership may not hold according to our semantics, since
the fact that f (0) has type A does not imply that f (0) 2 A .
As an example where \non-terminating" functions are involved, consider the
following specication, based upon an example given by Smolka and Nutt [7]:
[f : N ! N j 8n : N f (n) = succ(f (n))]
If f had been declared to be a total function, then it would be possible to prove
` f (0) f (0) ^ :f (0) f (0),
a contradiction, but this is not surprising since a consequence of the axiom
\dening" f is that f has no numeric value for any natural-number argument.
This is a problem for Smolka and Nutt since they have only total functions; to
3rd Northern Formal Methods Workshop, 1998
16
solve the problem they introduce an error element and make f total on the set
?N = N + ferrorg. However, since f is dened as partial, no contradiction arises
in our semantics. The reason the attempted proof of the contradiction fails is
that again a membership constraint arises, f (0) 2 N .
These properties of our semantics seem reasonable, but there are other properties that may appear anomalous. Firstly, our \undened" values may have
properties, apparently contradicting their undened status. For example, we
might have g(f (0)) = 0 as an axiom, though f (0) has no value in its range (i.e.,
is \undened"). However, this holds for function applications that are undened merely in the sense that they have not been explicitly assigned a value.
For example, we might have f (0) > 3 as an axiom, though f (0) has no explicit
value according to the specication; that is, a model might assign any element
of N nf0; 1; 2; 3g to f (0). We preempted this argument by pointing out that our
\undened" values should more accurately be referred to as \super" values.
A second, more disconcerting, aspect of our semantics is that our super
values may have counterintuitive properties.
Example: Suppose we have a relation > : P(N N), a function f : N ! N,
and the usual axiom for >, 8x : N :x > x. No contradiction arises if we add to
a specication with just these declarations and axiom, the properties f (0) > 0
and f (0) < 0, the reason being that, to contradict the given axiom, f (0) must
be assigned a value in N and there are models in which it is not assigned such
a value.
Our rst justication for this apparently anomalous result is that f (0) has the
unexpected properties only because it has been assigned them by the specication. Of course, even if the axioms f (0) > 0 and f (0) < 0 had not been added
to the specication, there would still be models of the original specication in
which they hold, but, in that case, we would not be able to prove that they hold
as a consequence of the specication.
Secondly, we argue that the counter-intuitive nature of this result partly
arises from the choice of the symbol > for our relation. Consider a specication
in which we have a relation R : P(A A ), and the axiom 8x : N :R(x; x);
clearly no contradiction arises (formally or intuitively) if we add R(1 2; 1 2),
where `' denotes division: a model for this specication is one in which R is
assigned the relation 8x; y : A x y < x. If R had been called >, however,
1 2 > 1 2 would have been disconcerting. Of course, Z users will typically
wish to use suggestive names and symbols (such as >) for their relation and
function symbols; the point is that, since a relation is always declared over a
set (of, for example, pairs), the specier cannot expect all dened properties of
the relation to hold over objects not in that set, and these objects include the
super values in our semantics.
All these properties of our semantics have a counterpart in the alternative
approach to partiality in which we modify, for instance, the concept of a free
type within Z. For example, if we dene nats as a subset of the given type nats ,
and include the axiom 8x : nats :x > x, then we may or may not have fo > fo
in any model in which fo is assigned some value from nats nnats. Similarly,
the reinstatement, in the type-change approach, of the property 8x : T 9y :
T 0 f x = y ) (x; y) 2 f , where T; T 0 are types, and f has type P(T T 0), as
suggested in Section 4.1, is also possible in the semantic approach.
3rd Northern Formal Methods Workshop, 1998
17
The relationship between the two approaches to partiality may be formalised
as follows. Let be a specication with exactly the given types T1 ; : : : ; Tn, and
in which there is no use of the names Ti ; Ti# or Ti+ for any i. We derive from
the specication # by replacing the introduction of each given type Ti with
the introduction of the given type Ti#, and by adding the declaration Ti : P Ti#
for each Ti . We also modify our semantics I to J by deleting all occurrences of
`+' | our subset of Z thus becomes virtually its own semantics. If we represent
logical consequence in our I semantics with j=I and logical consequence in the
J semantics with j=J , then for any Z predicate in the language of , we have
j=I i j=J :
The reason for this is that, since neither nor makes reference to either the
Ti; Ti# or Ti+, we may correlate each Ti with the J interpretation of each Ti#,
and correlate, for each set expression S in or , the I -set S + with the J
interpretation of S . We then have a correspondence between the two semantics
for and the expressions in .
This does not mean, however, that the approaches are, for all practical
purposes, identical. One major dierence is the relative diculty in dening
certain concepts, such as [, even if we suppose they are dened via expansion
laws. In the rst approach, we may dene the union of any two arbitrary set
expressions S and S 0 by
fx : T j x 2 S _ x 2 S 0 g ;
where P T is the type of S and S 0. This denition will not always produce the
full union in the second approach, but only the union of the \dened" subsets.
On the other hand, for practical applications we may wish to construct only
the union of these dened subsets. For example, in the process of renement,
where we wish to construct a function satisfying our specication, it is likely
that the desired domain for our function will be the (maximal) set over which
the function's specication is total [10]. There seems to be no practical reason
for constructing the full union of sets with undened elements; the construction
of such sets in this paper was purely for theoretical considerations.
One, as yet unresolved, diculty with our semantic approach to partialfunction application is that we cannot always simplify expressions involving
undened terms as we would like. For example, we cannot simplify the expression (s o o) + o via the equation 8x : nats x + o = x, because we cannot show
that s o o is in the type nats; the principal benet of Arthan's approach [2] is
that such expressions may be simplied, since s o o would be assumed to be in
nats. One possible resolution to this problem is to allow untyped quantiers3.
For example, we might allow equations such as 8x x + o = x. Any applied
instance of predicates with untyped quantiers must have appropriate types.
For example, any applied instance, t + 0 = t, of the equation 8x x + o = x,
must be such that t + 0 and t are both well-typed Terms and have the same
type. This constraint on the application of predicates with untyped quantiers
should ensure that untyped quantiers do not introduce the sort of problems
(e.g. paradoxes) typing is designed to eliminate [8]. Consequently, we are not
advocating that all expressions be untyped.
3
Rob Arthan, private communication
3rd Northern Formal Methods Workshop, 1998
18
9 Conclusions
We have argued that it is advantageous to be able to include in our specications
functions applications that do not always return a value of the function's range,
but have shown that this can make typical Z specications inconsistent according
to the usual (intuitive, if not yet formalised) semantics of Z. We have also
presented two possible resolutions to this inconsistency problem, one involving
a modication to our specications, and the other a modication to our proof
systems.
We have shown that the two approaches are closely related, and thus have
some benets in common. Neither imposes constraints on the meaning of a
function itself; in particular, partial functions are not \totalised". Also, we do
not have a \bottom" object, and do not have the problem of deciding whether
or not our functions should be strict: the value of a function application to a
super value is simply an element of the set assigned to the type of the function
application. Perhaps most importantly, partial functions are not total from the
perspective of function application.
The major disadvantage of the specication-change approach is that it is an
imposition on the specier, even if automated tools make the necessary changes.
The inference-change approach avoids this problem, for the most part, but deviates from the classical view of and approach to reasoning about Z [8, 2, 9]. If
either of these approaches are to be used in practice, preference will probably
depend upon the perceived utility and pervasiveness (in real specications) of
non-total function application.
Irrespective of the acceptability of non-total function application, it is hoped
that this paper has claried the meaning of application in general, including
the application of relations that are neither total nor partial functions. With
respect to partial functions, Arthan [2] and Valentine [10] have argued that
we may assign some member of their range types to any application to objects
outside their domains. In this paper, we have shown further that this possibility
is implicitly built in to current reasoning systems for Z such as CADiZ: while
it is not immediately apparent that f o is an element of the type nats if f is a
partial function from nats to nats, we have shown that it is possible to prove in
CADiZ that fx : nats j true f xg is a subset of nats. Thus, any other approach
to partial-function application, such as the introduction of a bottom object ?
or the one we have proposed, will entail modication of the inference rules of
reasoners such as CADiZ.
There are several possible directions for future research. We have covered
only a fairly small subset of Z, omitting, most prominently, schemas and generics; inclusion of these is paramount for the utility of our work to Z users. There
is also more work to be done on the eects of non-total function application on
the issues of renement and inductive proof; recently, we have been developing
an approach to proving inductive properties of partial functions that utilises the
distinction our semantics makes between dened and undened function applications. Completeness results for our proof rules with respect to the described
semantics might also be developed: we should be able to show that our rules
support the proof of all possible properties of partial functions, at least for subsets of Z. In addition, we need to consider further the problem of simplifying
(rewriting) expressions involving undened terms.
3rd Northern Formal Methods Workshop, 1998
19
Acknowledgements
I would like to thank Ian Toyn for his detailed and helpful comments on successive versions of this paper, and to thank Ian, Rob Arthan, Robert Dormer,
Alan Frisch, and Sam Valentine for our discussions of the ideas presented.
References
[1] J-R. Abrial. The B-Book: Assigning Meaning to Programs. Cambridge
University Press, 1996.
[2] R.D. Arthan. Undenedness in Z: issues for specication and proof. In
CADE-13 Workshop on Mechanisation of Partial Functions. Springer, Rutgers University, New Brunswick, New Jersey, USA, 1996.
[3] H.B. Enderton. A Mathematical Introduction to Logic. Academic Press,
1972.
[4] H.B. Enderton. Elements of Set Theory. Academic Press, 1977.
[5] D.J. King and R.D. Arthan. Development of practical verication tools.
Ingenuity - the ICL Systems Journal, 11, May 1996.
[6] Z. Manna. Mathematical Theory of Computation. Prentice-Hall International Editions, 1974.
[7] G. Smolka, W. Nutt, J.A. Goguen, and J. Meseguer. Order-sorted equational computation. In H. Ait-Kaci and M. Nivat, editors, Resolution of
Equations in Algebraic Structures. Academic Press, 1989.
[8] J.M. Spivey. The Z Notation: A Reference Manual, Second Edition. Prentice Hall, 1992.
[9] I. Toyn. Proving conjectures using CADiZ. Available from the Department of Computer Science, University of York at the web address
http://www.cs.york.ac.uk/ian/cadiz/tutorials.html, 1997.
[10] S. Valentine. Inconsistency and undenedness in Z { a practical guide. To
appear in Proceedings 11th International Conference of Z User's, ZUM'98,
1998.
[11] C. Walther. Mathematic induction. In D.M. Gabbay, C.J. Hooger, and J.A.
Robinson, editors, Handbook of Logic in Articial Intelligence and Logic
Programming, Vol. 2: Deduction Methodologies. Clarendon Press, Oxford,
1994.
[12] J. Woodcock and J. Davies. Using Z: Specication, Renement and Proof.
Prentice Hall, 1996.
3rd Northern Formal Methods Workshop, 1998
20

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz